Authentication of a remote user to a host in a data communication system

ABSTRACT

A method of authenticating a remote user, using a remote computer device, to a host computer in a data communication system. Verification values are stored at the host computer, which are used to authenticate a remote user upon receipt of data from the remote computer device. Further data, including a next set of verification values calculated by the remote computer device are also sent to the host computer.

This invention relates to authentication of a remote user to a host in a data communication system.

Such authentication normally requires the use of the user's secret passphrase, which is entered into a remote computer device to enable the system to be used. A cryptographic function of the password is then generated by the remote computer device and sent to the host computer. The password may be processed by sophisticated asymmetric cryptographic techniques using public key/private key pairs. This provides great security, but needs considerable computing power at the remote computer device, and so is not suitable where that device has limited computational power, being for example a smart card. In such a situation a symmetric cryptographic technique, which requires much less computational power, may be used to process a one-time password to be sent to the host. One such system is known as S/KEY, details of which have been published as Internet RFC 1760. In the S/KEY system, because each password is used only once, an attacker who intercepts the password may not be able to use it, except in a ‘host impersonation’ attack, where a false host obtains information from the remote user which can be used to impersonate the remote user to the genuine host on a later occasion. However, the S/KEY system has the important advantage that the host does not need to store secret information about the remote user device. The information that is stored (known as public information) is not in itself sufficient to enable an attacker to masquerade as the remote user.

An aim of the invention is to provide an authentication method which retains the advantages of the S/KEY system while offering improved resistance to host impersonation attacks.

According to a first aspect of the present invention, a method of authenticating a remote user to a host computer in a data communication system where the remote user uses a remote computer device, comprises storing a set of verification values at the host computer, and during an authentication process sending data from the remote computer device to the host computer to enable authentication of the remote user by the host computer using the set of verification values, together with data including a next set of verification values calculated by the remote computer device.

With this method, the host computer stores the verification values, and no secret information about the remote user or the remote computer device. Further, because during an authentication process the remote computer device sends the host the set of verification values for the next authentication process, any host impersonation attack must be able to intercept or deduce two sets of verification values to be successful. This provides increased security.

Preferably, the host computer verifies the next set of verification values before storing them in place of the previous set.

Preferably, the host computer stores a current data string and a current set of verification values calculated by the remote computer device using the current data string and a current set of secret keys chosen and stored by the remote computer device, and the method includes:

- at the remote computer device, choosing a next data string and a next set of secret keys, calculating the next set of verification values using the next data string and the next set of secret keys, and calculating a set of check values using the next set of verification values and the current set of secret keys;
- the transmission of the next data string, the next set of verification values and the set of check values in encrypted form from the remote computer device to the host computer;
- at the host computer, choosing at random, a subset of the current set of keys, and obtaining that subset of the current set of keys in encrypted form from the remote computer device;
- at the host computer, verifying the corresponding subset of the current set of verification values using the current data string and the subset of the current set of keys;
- then the verification of the corresponding subset of the set of check values using the next data string and the subset of the current set of keys; and
- the replacement of the current data string and current set of verification values with the next data string and next set of verification values.

In this case only the data string and the verification values are stored at the host computer, which still does not store any secret information about the remote user.

Further, because the method uses the current keys to verify both the current set of verification values and the next set of verification values (via the check values), each time the remote user is authenticated the host is provided with and has verified the next set of verification values of the next authentication. Although secret keys are sent from the remote computer device to the host computer, only a subset of the keys is sent, so that if this is intercepted by an attacker it is unlikely that the attacker has the subset required when trying to impersonate the remote computer device to the host on a later occasion, so that the verification procedure at the host will fail. This therefore offers improved security.

The invention offers particular advantages where the encryption is symmetric, as it does not require a great deal of computational power. Further, the memory required by the remote computer device, for example on a smart card, can also be minimised.

Conveniently the verification values are calculated using a message authentication code (MAC) algorithm. The use of such an algorithm proves that the information used to calculate the values is known, while not actually revealing it. Using such an algorithm also tends to minimise the storage needed for the values.

In order to maintain the security of the method while minimising the data that is stored, particularly by the remote user, the number of secret keys in a set, and the number in the subset, must be chosen carefully. In practice, the number of secret keys in a set will be between 35 and 200, with the number in the subset being less than or equal to half of the number in the whole set.

A further improvement to resistance against host impersonation attacks is made if the subset of the current set of secret keys is chosen by a procedure involving both the remote computer device and the host.

The method may be implemented in different ways, according to whether the amount of data to be stored, or the amount of data transmitted and the number of data transmissions, is to be limited.

In a first embodiment, where data storage is minimised, the host computer stores one data string and one set of verification values, while the remote computer device stores one set of secret keys and the data string, and during the authentication process there are three transmissions of data, firstly from the remote computer device to the host, sending the next data string, the next set of verification values and the set of check values, secondly from the host to the remote computer device sending the subset chosen at random, and thirdly from the remote computer device to the host, sending the subset of the current set of keys.

In a second embodiment, where the number of data transmissions is minimised, the host computer stores current and pending data strings, the corresponding two sets of verification values, each calculated from a corresponding set of secret keys, and a set of check values, while the remote computer device stores the two sets of secret keys and the current and pending data strings, and during the authentication process there are two transmissions of data, firstly from the host to the remote computer device sending the subset chosen at random and secondly from the remote computer device to the host, sending the subset of the current set of keys, together with the next data string, the next set of verification values and the corresponding set of check values.

In this embodiment, after verification of the subset of verification values and check values, the current data string, the current set of verification values and the set of check values are discarded, with the host storing the pending and next data strings and sets of verification values, and the next set of check values.

In either embodiment, the authentication process may also include the transmission of the current data string from the host computer to the remote computer device, to check the synchronisation between the host and the remote user.

In the first embodiment, this transmission of the current data string forms the first data transmission, making four transmissions in all.

In the second embodiment, this transmission can be combined with the transmission of the random subset, so that there are still only two transmissions of data.

If the subset of the current set of secret keys is chosen by the remote computer device and the host, the number of data transmissions in the first embodiment remains the same, as the necessary data transfers can be included in the first two transmissions. In the second embodiment, the number of data transmissions increases.

According to a second aspect of the invention, we provide a method of authenticating a remote user at a host computer in accordance with the first aspect of the invention.

Other aspects of the invention relate to the host computer arranged to operate in accordance with the first aspect of the invention, a remote computer device arranged to operate in accordance with the first aspect of the invention, a computer network arranged to operate in accordance with the first aspect of the invention and a system comprising at least a host computer and a remote computer arranged to operate in accordance with the method of the first aspect of the invention.

Further aspects of the invention relate to means for implementing the instructions of the method of the first aspect of the invention including providing instructions on a computer readable medium, providing instructions in the form of a computer readable signal and providing instructions by way of a computer useable medium having the computer readable program code means embodied therein.

A still further aspect of the invention relates to a computer program comprising code for carrying out the method of the first aspect of the invention.

Embodiments of the invention will now be described in detail. In the description, the host computer is signified by H, and the remote computer device by U, and it is required to set up a method of authenticating a user of the remote computer device U to the host computer H.

To start with, two system parameters t and r are selected, where t and r are positive integers satisfying $r < t$. The choice of these values affects the security of the method. A method for computing MACs (Message Authentication Codes) must also be agreed; this could be HMAC (Hash-based function MAC) or a block cipher based CBC-MAC (Cipher block chaining MAC), as described for example in ISO/IEC 9797. Whatever method is chosen must be resistant to both key recovery and forgery attacks. In fact, resistance to a slightly generalised version of key recovery is required. Key recovery attacks normally involve an attacker using a number of (message, MAC) pairs to find the key used to generate the MACs. Here, the attacker should not be able to find any key which maps a given message to a given MAC, regardless of whether or not it was the actual key used. By choosing the algorithm and algorithm parameters carefully, it should be possible to achieve the desired attack resistance.

For the purpose of the discussion below $M_K(X)$ is used to denote the MAC computed on data X using a secret key K.

Initially, the host H and remote computer device U have a secure exchange of information, where U supplies H with public information.

In a first embodiment, to set up the system the remote computer device U chooses a set of t secret keys for the MAC algorithm, denoted by $K_1, K_2, \ldots, K_t$. U then chooses a random data string X and computes $V_i = M_{K_i}(X)$ for every i ($1 \le i \le t$). U then:

- passes the values $V_1, V_2, \ldots, V_t$ and X to H, and
- securely stores $K_1, K_2, \ldots, K_t$ and X.

H securely stores $V_1, V_2, \ldots, V_t$ and X as the public verification information for U. The integrity of this information must be preserved, but secrecy is not required.

In use, the remote user wishes to authenticate him/herself to host H. The process operates in accordance with the following protocol.

1. H first sends X to U.

2. U first checks the correctness of X, in case of loss of synchronisation between U and H. If X is incorrect then, in certain circumstances, U may check the previous value of X to see if synchronisation can be restored (as discussed further below). U then chooses a new set of t secret keys $K'_1, K'_2, \ldots, K'_t$ and selects a new random value $X'$. U also computes two sequences of t values: $V'_i = M_{K'_i}(X')$, $W'_i = M_{K_i}(V'_1 \| V'_2 \| \cdots \| V'_t)$, ($1 \le i \le t$), where here, as throughout, $\|$ denotes concatenation of data items. U now sends $(W'_1, W'_2, \ldots, W'_t)$ to H.

3. H then chooses, at random, an r-subset of $\{1, 2, \ldots, t\}$, and sends this subset to U. U selects r secret keys $K_{i_1}, K_{i_2}, \ldots, K_{i_r}$ in accordance with the r-subset sent by H.

4. U now sends the r secret keys $K_{i_1}, K_{i_2}, \ldots, K_{i_r}$ to H, as well as the set of t values $V'_1, V'_2, \ldots, V'_t$ and the value $X'$.

5. H now verifies the r MAC values $V_{i_1}, V_{i_2}, \ldots, V_{i_r}$ using the set of r keys supplied by U and the stored value of X. If all these values are correct, then H also verifies the r MAC values $W'_{i_1}, W'_{i_2}, \ldots, W'_{i_r}$ using the set of r keys supplied by U and the values $V'_1, V'_2, \ldots, V'_t$ supplied by U previously. If all these MACs are also correct, then H accepts U as valid, and replaces $X, V_1, V_2, \ldots, V_t$ with $X', V'_1, V'_2, \ldots, V'_t$.
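The five steps above, as an added example that is not code from the patent: a Python sketch of U and H in the first embodiment, including the host's two MAC checks and the roll-over to the next values. HMAC-SHA-256, the 32-byte keys, the 16-byte X, the class and function names and the `tamper` switch are assumptions of this example; indices are 0-based and the transport encryption mentioned elsewhere on the page is left out.

```python
import hashlib
import hmac
import secrets

T, R = 35, 17      # system parameters t and r from the page (r < t)
KEY_LEN = 32       # assumed key length in bytes
X_LEN = 16         # assumed length of the data string X in bytes


def mac(key, data):
    """M_K(X). HMAC-SHA-256 is this example's choice of agreed MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()


def new_key_set():
    return [secrets.token_bytes(KEY_LEN) for _ in range(T)]


class User:
    """Remote device U: stores the secret keys K_1..K_t and X."""

    def __init__(self):
        self.keys = new_key_set()
        self.x = secrets.token_bytes(X_LEN)
        self.pending = None

    def public_info(self):
        # Set-up: V_i = M_{K_i}(X), passed to H in the initial secure exchange.
        return self.x, [mac(k, self.x) for k in self.keys]

    def step2(self, x_from_host):
        if not hmac.compare_digest(x_from_host, self.x):
            raise ValueError("X mismatch: U and H are out of synchronisation")
        next_keys = new_key_set()
        next_x = secrets.token_bytes(X_LEN)
        next_v = [mac(k, next_x) for k in next_keys]    # V'_i = M_{K'_i}(X')
        joined = b"".join(next_v)
        self.pending = (next_keys, next_x, next_v)
        return [mac(k, joined) for k in self.keys]      # W'_i = M_{K_i}(V'_1||..||V'_t)

    def step4(self, subset):
        # Reveal only the r requested current keys, then roll over to the next set.
        revealed = {i: self.keys[i] for i in subset}
        self.keys, self.x, next_v = self.pending
        self.pending = None
        return revealed, next_v, self.x


class Host:
    """Host H: stores only public verification information (X, V_1..V_t)."""

    def __init__(self, x, v):
        self.x, self.v = x, list(v)
        self.w = None
        self.subset = None

    def step1(self):
        return self.x

    def step3(self, w):
        self.w = list(w)
        # 0-based indices here; the page numbers keys from 1.
        self.subset = sorted(secrets.SystemRandom().sample(range(T), R))
        return self.subset

    def step5(self, revealed, next_v, next_x):
        if sorted(revealed) != self.subset or len(next_v) != T:
            return False
        joined = b"".join(next_v)
        for i in self.subset:
            key = revealed[i]
            if not hmac.compare_digest(mac(key, self.x), self.v[i]):
                return False        # K_i does not open the stored V_i
            if not hmac.compare_digest(mac(key, joined), self.w[i]):
                return False        # V' set differs from the one bound by W' in step 2
        self.x, self.v = next_x, list(next_v)   # replace only after both checks pass
        return True


def run_once(user, host, tamper=None):
    """One protocol run; `tamper` simulates modification in transit at step 4."""
    w = user.step2(host.step1())
    subset = host.step3(w)
    revealed, next_v, next_x = user.step4(subset)
    if tamper == "key":
        revealed[subset[0]] = secrets.token_bytes(KEY_LEN)
    elif tamper == "next_v":
        next_v = [secrets.token_bytes(32)] + next_v[1:]
    return host.step5(revealed, next_v, next_x)


if __name__ == "__main__":
    u = User()
    h = Host(*u.public_info())
    print("honest run accepted:", run_once(u, h))
    print("second run with rolled-over values:", run_once(u, h))
    u2 = User()
    h2 = Host(*u2.public_info())
    print("modified key accepted:", run_once(u2, h2, tamper="key"))
```

After a rejected run the host keeps its old X while U has already moved to the next one, so the following run stops at the X check in step 2.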

First, considering how t and r should be chosen, to avoid certain attacks, these values should be chosen so that the probability of a third party successfully guessing the subset $\{i_1, i_2, \ldots, i_r\}$ in advance is negligible.

That is, we wish to arrange things so that $1/\binom{t}{r}$ is negligible, where $\binom{t}{r}$ denotes the number of ways of choosing r from t, that is $t!/(r!\,(t-r)!)$.

Given that t should be minimised (to minimise the storage and bandwidth requirements), this probability is minimised by choosing $r = \lfloor t/2 \rfloor$ (the integer part of t/2), since $\binom{t}{\lfloor t/2 \rfloor} \geq \binom{t}{i}$ for all i. Also, since $\sum_{i=0}^{t} \binom{t}{i} = 2^{t}$, this gives $\binom{t}{\lfloor t/2 \rfloor} > 2^{t}/(t+1)$ if $t > 1$.

Hence, if it is necessary to guarantee that the probability of successfully guessing the subset is at most $10^{-9}$ say, then choosing $t \ge 35$ will suffice.

Next, looking at host impersonation attacks, suppose a third party, E say, wishes to impersonate H to U with a view to learning enough to impersonate U to H at some subsequent time. In step 3 of the protocol, E can only choose a random r-subset of $\{1, 2, \ldots, t\}$, and E will then learn a set of r of the secret keys. However, at a later stage, when E impersonates U to H, E will only be successful if he/she knows all the keys in the subset chosen by H. The odds of this will be acceptably small as long as t and r are chosen appropriately, as discussed above.

A man in the middle attack must also be considered. As with any authentication protocol, it will always be possible for a third party E to simply sit between U and H in the communications channel, and relay messages between the two. This only becomes a genuine threat if E is able to change some part of the messages, and/or to re-order them in some way. We now look at the various messages in turn, to see if this is possible.

In step 2, E could change some or all of the MAC values $W'_i$.

However, given that at this stage E will not know any of the keys $K_i$, the probability that the modified values will be correct is negligibly small (since it is assumed that forgery attacks are not feasible).

In step 3, E could change the subset, but then the set of keys returned in step 4 will not be correct.

In step 4, E could modify some or all of the secret keys $K_{i_j}$, and/or some or all of the MAC values $V'_i$. Successfully changing the values $V'_i$ would require knowledge of the keys $K'_i$, but none of these have yet been divulged by U. Changing the secret keys $K_{i_j}$ is prevented by the fact that H can check them using the values $V_{i_j}$. (Changing these verification MACs would have required knowledge of the previous set of keys, and changing these previous keys would have required changing the previous verification MACs, and so on).

There is, of course, a simple and effective ‘denial of service’ attack against the protocol. A third party E can simply engage in the protocol with U by impersonating H. When U tries to authenticate him/herself to the genuine H, U will have a different value X to that sent by H in the first step of the protocol.

There are two main ways in which this can be dealt with. Firstly, U could simply abandon the attempt to authenticate to H, and arrange for the system to be re-initialised. Secondly, U could retain ‘old’ values of X (along with the associated set of keys) and use them to complete the authentication protocol. However, such a process has very serious dangers, depending on the choices of t and r.

With r set to $\lfloor t/2 \rfloor$, even doing the process twice would completely destroy the system security. A malicious third party E could impersonate H to U twice, using two disjoint r-subsets of $\{1, 2, \ldots, t\}$. This would mean that E would obtain all of the keys $K_1, K_2, \ldots, K_t$ (or all but one of them if t is odd). As a result, E would be able to impersonate U to H any number of times.

Hence if the same key set is allowed to be used more than once then r and t need to be chosen appropriately. Also, U needs to implement a counter to limit the number of times any particular key set is used for the authentication process. The limit for this counter will be determined by the choices for t and r, as discussed in more detail below.

Thus, one way of limiting the impact of denial of service attacks by malicious third parties impersonating the host, is to allow a key set to be used more than once. This may also be necessary if the authentication process between user and host fails part way through, e.g. because of a communications failure.

If a key set is to be used up to a maximum of c times (this being enforced by the counter held by U) then it should be the case that any party with knowledge of c different random r-subsets of the set of t keys $K_1, K_2, \ldots, K_t$ should have a negligible probability of knowing all the members of another randomly chosen r-subset of keys.

To compute the necessary probabilities, simplifying assumptions (pessimistic from the point of view of the legitimate users) are made. Suppose that, by bad luck or by host impersonation, all the c different r-subsets are mutually disjoint. This requires that the probability is small that a randomly chosen r-subset of $\{1, 2, \ldots, t\}$ does not contain any element from a specified subset of size $t - cr$.

So, suppose c, r and t are positive integers satisfying $r(c+1) < t$. If S is a subset of $\{1, 2, \ldots, t\}$ of size cr, then the probability that R, a randomly chosen r-subset of $\{1, 2, \ldots, t\}$, is a subset of S is equal to $\binom{cr}{r} / \binom{t}{r}$.

Then the requirement is that c, r and t should be chosen so that $\frac{cr(cr-1)\cdots(cr-r+1)}{t(t-1)\cdots(t-r+1)}$, which is bounded above by $(cr/t)^{r}$, is small. As an example, putting r=32 and t=64c guarantees that the probability of a successful attack is less than $2^{-32}$.
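The two probabilities derived above can be evaluated exactly when picking t, r and the counter limit c. The following Python helper is an added example, not part of the patent; its function names are assumptions, and it uses the page's worst case in which the c subsets already learned are mutually disjoint.

```python
from fractions import Fraction
from math import comb


def guess_probability(t, r):
    """Probability of guessing H's r-subset in advance: 1 / C(t, r)."""
    return Fraction(1, comb(t, r))


def smallest_t(target):
    """Smallest t for which r = floor(t/2) brings the guess probability to target or below."""
    t = 2
    while guess_probability(t, t // 2) > target:
        t += 1
    return t


def reuse_attack_probability(t, r, c):
    """C(cr, r) / C(t, r): an attacker who holds c disjoint r-subsets of the keys
    succeeds when H's fresh random r-subset lies entirely inside those cr keys."""
    known = min(c * r, t)
    return Fraction(comb(known, r), comb(t, r))


def max_uses(t, r, limit):
    """Largest counter limit c for which the reuse attack stays at or below `limit`."""
    c = 0
    while reuse_attack_probability(t, r, c + 1) <= limit:
        c += 1
    return c


if __name__ == "__main__":
    one_in_a_billion = Fraction(1, 10**9)
    print("smallest t for 1e-9:", smallest_t(one_in_a_billion))
    print("t=35, r=17 guess probability:", float(guess_probability(35, 17)))
    # r = floor(t/2) with a key set used twice: E learns all keys (or all but one).
    print("t=34, r=17, c=2:", reuse_attack_probability(34, 17, 2))
    print("t=35, r=17, c=2:", reuse_attack_probability(35, 17, 2))
    # The page's example r=32, t=64c, here with c=3.
    p = reuse_attack_probability(192, 32, 3)
    print("t=192, r=32, c=3 below 2^-32:", p < Fraction(1, 2**32))
    print("max uses for t=196, r=32:", max_uses(196, 32, Fraction(1, 2**32)))
```

The exact search shows that the page's choice of t at least 35 for a 10⁻⁹ target leaves some margin, and that with r = ⌊t/2⌋ a second use of the same key set gives the attacker a success probability of 1 (t even) or just over one half (t odd).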

The first embodiment of the protocol minimises the memory needed to store the necessary data, but requires four transmissions of data between the remote computer device and the host. In a second embodiment, steps 1 and 2 can be merged with steps 3 and 4 respectively, to give a two-pass protocol. This is at the cost of increasing long-term storage requirements. The second protocol operates as follows.

In the set up phase, the remote computer device U chooses two sets of t secret keys for the MAC algorithm, the current set, denoted by $K_1, K_2, \ldots, K_t$, and the pending set, denoted by $K'_1, K'_2, \ldots, K'_t$. U chooses two random data strings used as key set indicators, denoted by X and $X'$ (for the current and pending key sets). U now computes verification MACs for both the current and pending key sets as $V_i = M_{K_i}(X)$ and $V'_i = M_{K'_i}(X')$ for every i ($1 \le i \le t$). U then also computes a further set of t MACs $W'_i = M_{K_i}(V'_1 \| V'_2 \| \cdots \| V'_t)$, ($1 \le i \le t$).

U then:

- passes the two sets of verification values and the corresponding key set indicators $(V_1, V_2, \ldots, V_t, X)$ and $(V'_1, V'_2, \ldots, V'_t, X')$ to H,
- passes the t MACs $(W'_1, W'_2, \ldots, W'_t)$ to H, and
- securely stores the two key sets with their respective indicators, i.e. $(K_1, K_2, \ldots, K_t, X)$ and $(K'_1, K'_2, \ldots, K'_t, X')$.

H securely stores the information received from U. The integrity of this information must be preserved, but secrecy is not required.

In use, the remote user wishes to authenticate him/herself to host H. The process operates as follows.

1. H chooses a random r-subset of $\{1, 2, \ldots, t\}$, say $\{i_1, i_2, \ldots, i_r\}$, and sends this subset to U along with the current key set indicator X.

2. U first checks the correctness of X, in case of loss of synchronisation between U and H. If X is incorrect then, in certain circumstances, U may check the previous value of X to see if synchronisation can be restored (as discussed previously).

U then chooses a new set of t secret keys $K''_1, K''_2, \ldots, K''_t$ and selects a new random key set indicator $X''$. U also computes two sequences of t values: $V''_i = M_{K''_i}(X'')$, $W''_i = M_{K'_i}(V''_1 \| V''_2 \| \cdots \| V''_t)$, ($1 \le i \le t$).

U now sends $X''$, $(V''_1, V''_2, \ldots, V''_t)$ and $(W''_1, W''_2, \ldots, W''_t)$ to H.

U also sends the r secret keys $K_{i_1}, K_{i_2}, \ldots, K_{i_r}$ to H.

3. H now verifies the r MAC values $V_{i_1}, V_{i_2}, \ldots, V_{i_r}$ using the set of r keys supplied by U and the stored value of X. If all these values are correct, then H also verifies the r MAC values $W'_{i_1}, W'_{i_2}, \ldots, W'_{i_r}$ using the set of r keys supplied by U and the stored values $V'_1, V'_2, \ldots, V'_t$. If all these MACs are also correct, then H accepts U as valid, and replaces:

- $X, V_1, V_2, \ldots, V_t$ with $X', V'_1, V'_2, \ldots, V'_t$,
- $X', V'_1, V'_2, \ldots, V'_t$ with $X'', V''_1, V''_2, \ldots, V''_t$,
- $W'_1, W'_2, \ldots, W'_t$ with $W''_1, W''_2, \ldots, W''_t$.

It is also relevant to consider the storage, computation and communications complexity of the embodiments of the protocol.

- Storage: for the first embodiment, the requirements for the host are to store t MACs and a random value; the requirements for the user are to store t keys. During execution of the protocol, the remote user and host must both store a further 2t MACs, and the user must also temporarily store an additional t keys. For the second embodiment, the long term storage requirements for host and user increase to 3t MACs and 2t secret keys respectively. Further, if the user retains ‘old’ key sets for resynchronisation purposes, then this will be at a cost of t keys, a random value and a usage counter for each retained old set.
- Computation: for both embodiments, the host verifies 2r MACs and chooses one random r-subset of $\{1, 2, \ldots, t\}$, and the user generates 2t MACs.
- Communications: the user sends the host a total of 2t MACs, one random value and r secret keys, and the host sends the user one r-subset of $\{1, 2, \ldots, t\}$.

To see what this might mean in practice, suppose the first embodiment is used in such a way that a particular key set can be used up to c=3 times, and that the user retains one ‘old’ key set for resynchronisation purposes. We thus choose r=32 and t=196. Suppose that the MAC in use is HMAC based on SHA-1 (secure hash algorithm; see ISO/IEC 9792-2 and 10118-3) with MACs and keys of 160 bits each, and suppose also that X contains 128 bits. Then the user must store 2t keys, two random values and a counter (which we ignore since it will take negligible space); this amounts to 392×20+32 bytes, i.e. just under 8 kbytes, with an additional 12 kbytes of short term storage needed during protocol execution. The host must store approximately 4 kbytes of MACs, with an additional 8 kbytes of short term storage needed during protocol execution. During use of the protocol the user will need to compute 392 MACs and the host 64 MACs. The total data to be exchanged between host and user during the protocol amounts to around 8.5 kbytes.

A further modification to both embodiments can be used to improve security. In cases where c>1, i.e. where key sets may be used more than once, a malicious entity impersonating the host is free to choose the subsets $\{i_1, i_2, \ldots, i_r\}$ disjointly so as to learn the maximum number of secret keys. This maximises the (small) probability this malicious entity will have of impersonating the user to the genuine host. To avoid this, i.e. to increase the difficulty of launching a host impersonation attack, we can modify the protocol so that neither the remote user nor the host chooses the r-subset $\{i_1, i_2, \ldots, i_r\}$ of $\{1, 2, \ldots, t\}$. This can be achieved by prefixing the second embodiment with two additional messages, and also making use of an appropriate one-way, collision-resistant hash-function, that is, one where the input to the hash-function cannot be reconstructed from the output, and where it is computationally infeasible to find two different inputs that will produce the same output. These two additional messages can be merged with the first two messages of the first embodiment.

The revised protocol of the second embodiment is as follows:

1. H chooses a random value $r_H$, of length comparable to the key length in use, computes $h(r_H)$ (where h is a pre-agreed hash-function), and sends $h(r_H)$ to U.

2. U chooses a random value $r_U$, of length the same as $r_H$, and sends it to H.

3. H computes $h(r_H \| r_U)$ and uses this to seed a pseudo-random number generator (PRNG) of appropriate characteristics to generate an r-subset $\{i_1, i_2, \ldots, i_r\}$ of $\{1, 2, \ldots, t\}$; this PRNG could, for example, be based on h. H now sends $r_H$ and X to U.

4. U first checks $r_H$ using the value $h(r_H)$ sent previously. U now re-computes the r-subset $\{i_1, i_2, \ldots, i_r\}$, and continues as in step 2 of the second embodiment.

Note that, by sending $h(r_H)$ in the first step, H commits to the random value $r_H$ without revealing it. This prevents either party learning the other party's random value before choosing their own. This, in turn, prevents either party choosing even a small part of the r-subset. Further, although this scheme lengthens the protocol, it also slightly reduces the communications complexity, since the r-subset no longer needs to be transferred.
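The commit-then-reveal selection of the r-subset, as an added example that is not code from the patent. SHA-256 as h, the 32-byte random values, the counter-mode expansion of the seed and the class and function names are assumptions of this example; the page only requires a PRNG "of appropriate characteristics", and the transmission of X alongside $r_H$ is left out.

```python
import hashlib
import hmac
import secrets

RAND_LEN = 32  # assumed length of r_H and r_U in bytes


def h(data):
    """The pre-agreed one-way, collision-resistant hash (SHA-256 in this example)."""
    return hashlib.sha256(data).digest()


def derive_subset(seed, t, r):
    """Deterministically draw an r-subset of {1..t} from seed.

    Assumed construction: h(seed || counter) as the byte stream, rejection
    sampling to avoid modulo bias, and a partial Fisher-Yates shuffle.
    """
    counter = 0
    pool = b""

    def next_below(n):
        nonlocal counter, pool
        limit = (1 << 32) - ((1 << 32) % n)     # largest multiple of n <= 2^32
        while True:
            if len(pool) < 4:
                pool += h(seed + counter.to_bytes(4, "big"))
                counter += 1
            value = int.from_bytes(pool[:4], "big")
            pool = pool[4:]
            if value < limit:
                return value % n

    items = list(range(1, t + 1))
    for j in range(r):
        k = j + next_below(t - j)
        items[j], items[k] = items[k], items[j]
    return sorted(items[:r])


class HostSide:
    def __init__(self, t, r):
        self.t, self.r = t, r
        self.r_h = secrets.token_bytes(RAND_LEN)
        self.subset = None

    def msg1(self):
        return h(self.r_h)                      # step 1: commit to r_H

    def msg3(self, r_u):
        if len(r_u) != RAND_LEN:
            raise ValueError("r_U has the wrong length")
        self.subset = derive_subset(h(self.r_h + r_u), self.t, self.r)
        return self.r_h                         # step 3: reveal r_H


class UserSide:
    def __init__(self, t, r):
        self.t, self.r = t, r
        self.commitment = None
        self.r_u = None

    def msg2(self, commitment):
        self.commitment = commitment
        self.r_u = secrets.token_bytes(RAND_LEN)
        return self.r_u                         # step 2: U's own random value

    def msg4(self, r_h):
        # Step 4: refuse to continue if the revealed r_H does not open the commitment.
        if len(r_h) != RAND_LEN or not hmac.compare_digest(h(r_h), self.commitment):
            raise ValueError("r_H does not match the commitment h(r_H)")
        return derive_subset(h(r_h + self.r_u), self.t, self.r)


if __name__ == "__main__":
    host, user = HostSide(35, 17), UserSide(35, 17)
    r_u = user.msg2(host.msg1())
    subset_at_user = user.msg4(host.msg3(r_u))
    print("both sides agree:", subset_at_user == host.subset, subset_at_user)
```

Both random values have a fixed length, so the concatenation fed to h is unambiguous.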

The authentication protocols described have the advantage of using symmetric cryptography and only require public information to be stored at the verifying host. The computational and storage requirements are non-trivial, but may still be potentially attractive to designers of low-cost remote user authentication devices who wish to avoid the complexity of implementing digital signatures.

1-20. (Canceled)

21. A method of authenticating a remote user to a host computer in a data communication system where a remote computer device is used by said remote user, in which said host computer stores a current data string and a current set of verification values, said current set of verification values calculated by said remote computer device using said current data string and a current set of secret keys, said current set of secret keys being chosen and stored by said remote computer device, said method including: at said remote computer device, choosing a next data string and a next set of secret keys, calculating said next set of verification values using said next data string and said next set of secret keys, and calculating a set of check values using said next set of verification values and said current set of secret keys; the transmission of said next data string, said next set of verification values and said set of check values in encrypted form from said remote computer device to said host computer; at said host computer, choosing at random, a subset of said current set of keys, and obtaining that subset of said current set of keys in encrypted form from said remote computer device; at said host computer, verifying said corresponding subset of said current set of verification values using said current data string and said subset of said current set of keys; then the verification of said corresponding subset of said set of check values using said next data string and said subset of said current set of keys; and the replacement of said current data string and current set of verification values with said next data string and next set of verification values.

22. A method of authenticating a remote user to a host computer as claimed in claim 21, in which said host computer verifies said next set of verification values before storing them in place of said previous set.

23. A method of authenticating a remote user to a host computer as claimed in claim 21, in which a message authentication code algorithm is used to calculate each set of verification values.

24. A method of authenticating a remote user to a host computer as claimed in claim 21, in which the number of said secret keys in a set is between 35 and 200, and said number of secret keys in said subset is less than or equal to half of the number in said whole set.

25. A method of authenticating a remote user to a host computer as claimed in claim 21, in which a procedure involving both said remote computer device and said host computer is used to choose the subset of said current set of secret keys.

26. A method of authenticating a remote user to a host computer as claimed in claim 21, in which said host computer stores one data string and one set of verification values, while said remote computer device stores one set of secret keys and said data string, and during said authentication process there are three transmissions of data, firstly from said remote computer device to said host, sending said next data string, said next set of verification values and said set of check values, secondly from said host to said remote computer device sending said subset chosen at random, and thirdly from said remote computer device to said host, sending said subset of said current set of keys.

27. A method of authenticating a remote user to a host computer as claimed in claim 21, in which said host computer stores current and pending data strings, the corresponding two sets of verification values, each calculated from a corresponding set of secret keys, and a set of check values, while said remote computer device stores said two sets of secret keys and said current and pending data strings, and during said authentication process there are two transmissions of data, firstly from said host to said remote computer device sending said subset chosen at random and secondly from said remote computer device to said host, sending said subset of said current set of keys, together with said next data string, said next set of verification values and said corresponding set of check values.

28. A method of authenticating a remote user to a host computer as claimed in claim 27, in which, after verification of said subset of verification values and check values, said current data string, said current set of verification values and said set of check values are discarded, with said host storing said pending and next data strings and sets of verification values, and said next set of check values.

29. A method of authenticating a remote user to a host computer as claimed in claim 26, in which said authentication process also includes said transmission of said current data string from said host computer to said remote computer device, to check said synchronisation between said host computer and said remote user.

30. A method of authenticating a remote user to a host computer as claimed in claim 6, in which said transmission of said current data string forms a further data transmission preceding said three transmissions of data.

31. A method of authenticating a remote user to a host computer as claimed in claim 27, in which said transmission of said current data string is combined with said transmission of said random subset.

32. A host computer arranged to operate in accordance with the appropriate parts of the method of claim 21.

33. A remote computer device arranged to operate in accordance with the appropriate parts of the method of claim 21.

34. A computer readable medium containing instructions to allow either a host computer or remote computer device to carry out the appropriate parts of the method according to claim 21.

35. A computer network in which computers associated with said network can be arranged to operate as said host computer and remote computer device in accordance with the method of claim 21.

36. A computer readable signal containing instructions to allow either a host computer or remote computer device to carry out the method according to claim 21.

37. A method of authenticating a remote user at a host computer in accordance with the method of claim 21.

38. A computer useable medium having computer readable program code means embodied therein to enable a remote user to be authenticated to a host computer in accordance with the method of claim 21.

39. A system for authenticating a remote user to a host computer comprising at least, a remote computer, a host computer, and a processor wherein said processor carries out instructions in accordance with the method of claim 21.

40. A computer program to allow either a host computer or remote computer device to authenticate a remote user to a host computer comprising code for carrying out the appropriate parts of the method of claim 21.